[TriLUG] wireless security

Jeremy West jkwest at rmci.net
Sat Aug 21 01:04:10 EDT 2004


The first option in this instance is the most viable.  The setting involves 
trusted members coming over to the building in between classes (NC State 
campus) and connecting to the wireless.  Ease of use and low maintenance are 
a must.

Thanks!

On Friday 20 August 2004 12:30 pm, Mike Johnson wrote:
> Jeremy West [jkwest at lagrandeapartments.com] wrote:
> > Situation:  I'm installing wireless internet access for a building in the
> > NC State campus area.  The owners are concerned about security
> > (obviously).  Now I can do the whole WEP thing, some mac authentication,
> > and NAT'ing magic. But... is there a better way?  I'll be working on a
> > limited budget.
>
> Remember what WEP means: Wired Equivalent Privacy.  That means that it
> only provides the same amount of 'security' as someone plugging into
> your LAN.  WEP is -not- security.  Treat a wireless link like you would
> any clear text traffic travelling over the internet.  Once you think of
> it that way, you can kind of wrap your mind around how to protect it.
>
> There are two things you have to secure, here.  One is the traffic that's
> flowing across the link.  The other is access to the wireless network.
> One route you might take is a little WEP, mac auth, and some other NAT
> magic and not really concern yourself much beyond that point with
> securing access to the wireless network.  This requires that all
> communications across the link be 'secured' at an application level.
> For instance, make sure that all mail crossing the link is using SSL
> (SMTP and IMAP/POP) and all important web traffic is also using SSL.
>
> The other, more preferred way to secure all this, is to run a VPN over
> the link.  Have network VPN nodes at either end of the link, and have
> those nodes -only- accept encrypted traffic.  This means that an
> attacker might associate with your wireless access points, but they
> cannot actually use it for anything (perhaps other than being a
> nuisance).  With this in place, you can be certain that your
> communications across the wireless network are as protected as you
> can make them.
>
> > Would it be easier to set up the server as a wireless access point, or use
> > a blackbox (linksys scenario)?
>
> Eh, the access point doesn't matter as much.  Though, a pair of linux
> boxes with wireless NICs and OpenVPN would be pretty easy to implement.
>
> Mike
> --
> "Spare me your space-age technobabble Atilla The Hun!" --  Zapp Brannigan
>
> GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
> GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc

-- 
//---------------------------
"I had a life once... now I have a computer and DSL"

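An added example, not part of either poster's message: a small Python check over `iptables-save` output for the VPN-only gateway Mike describes, flagging every rule or default policy that lets non-VPN traffic in from the wireless interface. The interface names (`wlan0`, `tun0`, `eth0`), UDP port 1194 (OpenVPN's current default) and both rulesets are assumptions constructed for illustration; negated matches (`!`) are not handled.

```python
import shlex

WLAN_IF, VPN_PROTO, VPN_PORT = "wlan0", "udp", "1194"  # assumed interface name and VPN port
# Constructed iptables-save output: gateway that forwards wireless clients straight to the LAN.
WEAK = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i wlan0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
"""

# Constructed: the wireless side may only reach the VPN daemon; forwarding only via the tunnel.
VPN_ONLY = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wlan0 -p udp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A FORWARD -i tun0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def audit(ruleset, wlan=WLAN_IF):
    """Return findings: ways unencrypted traffic from the wireless side is accepted."""
    findings = []
    for line in ruleset.splitlines():
        if line.startswith(":"):                     # chain header carries the default policy
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD") and policy != "DROP":
                findings.append(f"{chain} default policy is {policy}, not DROP")
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
            if opt["-A"] not in ("INPUT", "FORWARD") or opt.get("-j") != "ACCEPT":
                continue
            if opt.get("-i", wlan) != wlan:          # no -i means any interface, wireless included
                continue
            is_vpn = (opt["-A"] == "INPUT" and opt.get("-p") == VPN_PROTO
                      and opt.get("--dport") == VPN_PORT)
            if not is_vpn:
                findings.append(f"non-VPN traffic accepted from {wlan}: {line}")
    return findings

if __name__ == "__main__":
    print("weak:", audit(WEAK), "\nvpn-only:", audit(VPN_ONLY))
```
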